CVE-2025-55732

Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857	Patch
https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e	Patch
https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:frappe:frappe::::::::
	cpe:2.3:a:frappe:frappe::::::::

History

22 Aug 2025, 20:52

Type	Values Removed	Values Added
First Time		Frappe frappe Frappe
References	~~() https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857 -~~	() https://github.com/frappe/frappe/commit/24dd2d9420a7c68ce09875cb18586d1bf071c857 - Patch
References	~~() https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e -~~	() https://github.com/frappe/frappe/commit/abe2cc25e333cd794405d12caec4da0279a54e6e - Patch
References	~~() https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp -~~	() https://github.com/frappe/frappe/security/advisories/GHSA-6rpr-2hjx-w9vp - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:frappe:frappe::::::::

22 Aug 2025, 18:09

Type	Values Removed	Values Added
Summary		(es) Frappe es un framework de aplicaciones web integral. Antes de las versiones 15.74.2 y 14.96.15, un atacante podía implementar inyecciones SQL mediante solicitudes especialmente manipuladas, lo que permitía a usuarios malintencionados acceder a información confidencial. Esta vulnerabilidad es una evasión del parche oficial publicado para CVE-2025-52895. Esta vulnerabilidad se ha corregido en las versiones 15.74.2 y 14.96.15.

20 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 16:15

Updated : 2025-08-22 20:52

NVD link : CVE-2025-55732

Mitre link : CVE-2025-55732

CVE.ORG link : CVE-2025-55732

JSON object : View

Products Affected

frappe

frappe

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10